LibreNMS Authenticated RCE module and ESC15 improvements
This week the Metasploit Framework was blessed with an authenticated RCE module for LibreNMS, an auto-discovering PHP/MySQL-based network monitoring system. An authenticated attacker can create directory names containing shell metacharacters on the system and alter sensitive configuration parameters through the web portal. Combined, these two defects let attacker-controlled strings reach shell_exec() calls, where they are interpreted as OS commands, thus achieving arbitrary code execution.
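The defect class described above (an application-controlled directory name interpolated into a shell command) is easiest to see beside its hardened form. The following is an added Ruby example, not LibreNMS or Metasploit code: LibreNMS's affected calls are PHP shell_exec(), and this is the equivalent pattern in Ruby (backtick interpolation versus an argument vector), with a constructed directory tree and a constructed hostile name standing in for attacker input.

```ruby
require 'open3'
require 'tmpdir'

# Allowlist for directory names the application will ever hand to a command:
# must start alphanumeric (so '.' and '..' are excluded), then only [A-Za-z0-9._-].
SAFE_DIR_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/.freeze

# Vulnerable pattern: the name is interpolated into one command string that a
# shell parses, so metacharacters in the name (";", "$(...)", "`...`") become
# additional commands. This is the Ruby analogue of an unescaped shell_exec() call.
def list_dir_vulnerable(base, name)
  `ls -1 #{File.join(base, name)}`
end

# Hardened pattern: reject anything outside the allowlist, then run the program
# with an argument vector so no shell is involved at all.
def list_dir_hardened(base, name)
  raise ArgumentError, "rejected directory name: #{name.inspect}" unless name.match?(SAFE_DIR_NAME)
  out, status = Open3.capture2('ls', '-1', '--', File.join(base, name))
  raise "ls failed with status #{status.exitstatus}" unless status.success?
  out.lines.map(&:chomp)
end

# Demonstration on a constructed directory tree (runs only when executed directly).
if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |base|
    Dir.mkdir(File.join(base, 'router1'))
    File.write(File.join(base, 'router1', 'snmp.yaml'), '')
    puts "hardened:   #{list_dir_hardened(base, 'router1').inspect}"
    hostile = 'missing; echo INJECTED'          # constructed hostile name
    puts "vulnerable: #{list_dir_vulnerable(base, hostile).inspect}"
    begin
      list_dir_hardened(base, hostile)
    rescue ArgumentError => e
      puts "hardened:   #{e.message}"
    end
  end
end
```

The allowlist is deliberately narrow: escaping with a shell-quoting helper would also neutralise the metacharacters, but refusing unexpected names at the point where they are created removes the need to reason about every later consumer of the value.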
Additionally, improvements have been made to the icpr_cert module. Metasploit users reported that when running the module with the option to add application policy OIDs to the template, which is typically done when attempting to exploit ESC15, the module would report success against a server patched for ESC15, even though no certificate application policy OIDs were returned in the response. That absence indicates that the server has been patched for ESC15 (CVE-2024-49019). In response, the module has been updated to raise an error in this scenario, notifying the user that the target is likely patched and the exploit will not succeed.
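The check the updated module now performs can be illustrated with a small Ruby routine. This is an added example and not the icpr_cert module's own code: it assumes the Microsoft Application Policies certificate extension OID 1.3.6.1.4.1.311.21.10, and it uses a locally generated self-signed certificate (constructed here) in place of one issued by an AD CS server.

```ruby
require 'openssl'

# Microsoft "Application Policies" extension (szOID_APPLICATION_CERT_POLICIES).
APPLICATION_POLICIES_OID = '1.3.6.1.4.1.311.21.10'

class PolicyMissingError < StandardError; end

# Return the policy OIDs carried in the Application Policies extension of a
# certificate, or [] when the extension is absent.
def application_policy_oids(cert)
  cert.extensions.each do |ext|
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
    fields = OpenSSL::ASN1.decode(ext.to_der).value
    next unless fields.first.oid == APPLICATION_POLICIES_OID
    # extnValue ::= SEQUENCE OF PolicyInformation { policyIdentifier OID, qualifiers OPTIONAL }
    policies = OpenSSL::ASN1.decode(fields.last.value).value
    return policies.map { |info| info.value.first.oid }
  end
  []
end

# Mirrors the behaviour described for the updated module: if application
# policies were requested but the issued certificate carries none of them, the
# CA ignored the request (patched behaviour), so fail loudly instead of
# reporting success.
def verify_application_policies!(cert, requested_oids)
  present = application_policy_oids(cert)
  missing = requested_oids - present
  unless missing.empty?
    raise PolicyMissingError,
          "issued certificate lacks application policies #{missing.join(', ')}; " \
          'target is likely patched for CVE-2024-49019'
  end
  present
end

# Constructed stand-in for a CA-issued certificate; app_policies = nil models a
# patched CA that dropped the requested extension entirely.
def make_test_cert(app_policies)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=constructed test cert')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  unless app_policies.nil?
    seq = OpenSSL::ASN1::Sequence.new(
      app_policies.map { |oid| OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new(oid)]) }
    )
    cert.add_extension(OpenSSL::X509::Extension.new(APPLICATION_POLICIES_OID, seq))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

if $PROGRAM_NAME == __FILE__
  client_auth = '1.3.6.1.5.5.7.3.2' # id-kp-clientAuth
  puts verify_application_policies!(make_test_cert([client_auth]), [client_auth]).inspect
  begin
    verify_application_policies!(make_test_cert(nil), [client_auth])
  rescue PolicyMissingError => e
    puts "error: #{e.message}"
  end
end
```

Decoding the extension from its DER rather than relying on the OpenSSL name table keeps the check working whether or not the local OpenSSL build knows a short name for the Microsoft OID.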
New module content (1)
LibreNMS Authenticated RCE (CVE-2024-51092)
Authors: Takahiro Yokoyama and murrant (Tony Murray)
Type: Exploit
Pull request: #19805 contributed by Takahiro-Yoko
Path: linux/http/librenms_authenticated_rce_cve_2024_51092
AttackerKB reference: CVE-2024-51092
Description: New module for exploiting CVE-2024-51092, an authenticated command injection in LibreNMS. It allows an attacker to run system commands and gain remote code execution (RCE); however, it requires a set of working credentials.
Bugs fixed (2)
#19808 from metasploit weekly